Re: [PATCH 2/2] genirq: proc: fix a procfs entry leak

From: Thomas Gleixner
Date: Mon Aug 28 2023 - 17:45:05 EST


On Mon, Aug 28 2023 at 21:03, Bartosz Golaszewski wrote:
> On Mon, Aug 28, 2023 at 2:41 PM Thomas Gleixner <tglx@xxxxxxxxxxxxx> wrote:
>> > I guess you're referring to irq_alloc_descs()? Anyway, here's a
>> > real-life example: we have the hid-cp2112 module which drives a
>> > GPIO-and-I2C-expander-on-a-USB-stick. I plug it in and have a driver
>> > that requests one of its GPIOs as interrupt. Now I unplug it. How has
>> > taking the reference to the hid-cp2112 module protected me from
>> > freeing an irq domain with interrupts in use?
>>
>> request_irq() does not care which module requests the interrupt. It
>> always takes a refcount on irq_desc::owner. That points to the module
>> which created the interrupt domain and/or allocated the descriptors.
>>
>> IOW, this needs a mechanism to store the module which creates the
>> interrupt domain somewhere in the domain itself and use it when
>> allocating interrupt descriptors. So in your case this would take a
>> refcount on the GPIO module.
>>
> This is still not complete. In the above example, the USB bus can
> still unbind the GPIO device that created the domain on hot-unplug,
> triggering its cleanup routines (.remove(), devres chain) and
> destroying the domain, and keeping the reference to the hid-cp2112
> module will not help it. This is why I suggested tracking the irq
> requests and freeing them in said cleanup path.

Are you actually reading what I write?

>> So in your case this would take a refcount on the GPIO module.

That's the module which provides the interrupt domain and hid-whatever
is the one which requests the interrupt, no?

Thanks,

tglx